[packman] Packman security policy questions

Aniruddha mailing_list at orange.nl
Sat Nov 3 21:52:37 CET 2007


On Sat, 2007-11-03 at 21:20 +0100, Andreas Schneider wrote:
> Aniruddha wrote:
> > Actually this is even easier than it sounds (and I am not a
> > programmer). It only requires documenting some simple rules for package
> > handling (e.g. that packagers should check for malware, and the
> > monitoring of some standard security bulletins).
> 
> It is easy? Ok.
> 
> How should we check a new version of an application/program for malware?
> 
> 
> 	-- andreas
> 
Let's first define the context:

1. We trust the author of the original package.
2. Checking for malware is only to prevent the (very slight) chance that
$upstream gets hacked and its packages are modified to provide a
backdoor (rootkit, trojan).
3. We do not want to do a complete source audit, since it's too time
consuming and probably not necessary.

Now on to the question of how to check a new version of an
application/program for malware. Since I am not a programmer I do not
know a lot about screening source code. I did understand however (from
people who do know how to program) that a malicious modification should
be easy to spot. Can you confirm this?

Here are some general ideas:

-How can we make sure $upstream arrives untampered? I do think that md5
or shasum checking is essential in order to verify that a package
arrives exactly as $upstream provides it.

-Put some kind of scanning software (f-prot, kaspersky) on the Packman
repos.

-The expertise and experience of the packagers is also an important
factor. This experience means that packagers could potentially spot
more quickly when something is out of the ordinary.

-Set up a testing branch that people like me can use. I use rkhunter and
chkrootkit and therefore I should be able to spot problems beforehand.
When no problems have been reported for a while the RPMs can be
moved to stable.

-Set up a security announcement mailing list and recruit people who can
monitor predefined channels for security issues.


-- 
Regards,

Aniruddha
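The checksum idea from the message above, worked through as an added example (it is not from the Packman list or the Packman project). It assumes a sha256sum-style SHA256SUMS file published by upstream, constructs a pretend tarball in a temporary directory so it runs offline, verifies it, then appends a line to the mirror copy to show that the same check now fails. SHA-256 is used instead of md5 because md5 collisions are cheap to produce. The checksum file only helps if it is obtained over a channel the attacker does not also control (upstream's release page or a signed announcement, not the mirror that served the tarball); if upstream itself is compromised and republishes both files, a checksum proves nothing and the other items in the list above are what remain.

```shell
#!/bin/sh
# Added example, not Packman's own tooling. Verifies that a fetched
# upstream tarball matches the SHA256SUMS entry upstream published.
# Names (foo-1.0.tar.gz, SHA256SUMS) are constructed for illustration.

# sha256_of FILE: print the hex digest, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only when digests are equal.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_sums_file DIR: check every "hash  name" line in DIR/SHA256SUMS
# against the files in DIR. Prints the number of missing or mismatching
# files and returns 0 only when that number is zero.
verify_sums_file() {
    dir=$1
    failed=0
    while read -r hash name; do
        [ -n "$hash" ] || continue
        if [ ! -f "$dir/$name" ] || ! verify_sha256 "$dir/$name" "$hash"; then
            echo "MISMATCH: $name (expected $hash)" >&2
            failed=$((failed + 1))
        fi
    done < "$dir/SHA256SUMS"
    echo "$failed"
    [ "$failed" -eq 0 ]
}

# Constructed scenario: a pretend upstream tarball plus the SHA256SUMS
# file that, in practice, would come from a separate trusted channel.
make_sample_upstream() {
    dir=$(mktemp -d)
    printf 'pretend upstream source for foo 1.0\n' > "$dir/foo-1.0.tar.gz"
    printf '%s  foo-1.0.tar.gz\n' "$(sha256_of "$dir/foo-1.0.tar.gz")" \
        > "$dir/SHA256SUMS"
    echo "$dir"
}

# tamper_with DIR: simulate the mirror copy being modified after the
# checksums were published (the case the thread is worried about).
tamper_with() {
    printf '\n# line injected after release\n' >> "$1/foo-1.0.tar.gz"
}

# demo: run the clean check, then the tampered check, and report.
demo() {
    d=$(make_sample_upstream)
    if verify_sums_file "$d" >/dev/null; then
        echo "clean copy: all checksums match"
    fi
    tamper_with "$d"
    if ! verify_sums_file "$d" >/dev/null; then
        echo "tampered copy: mismatch detected, do not package it"
    fi
    rm -rf "$d"
}

# Run with: sh verify_upstream.sh demo
[ "${1:-}" = "demo" ] && demo
```

Usage: drop the real SHA256SUMS from upstream next to the downloaded tarball and run `verify_sums_file` on that directory before the tarball goes anywhere near a spec file; a non-zero exit is the signal to stop and compare against upstream directly.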
